From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8FBA23DEFE7 for ; Fri, 29 May 2026 12:02:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.198.163.15 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780056175; cv=none; b=FmKVSA9YT6i2aR17CrtmUGdxtcp05ulayXJMLZkKJII5f0IihzPEcOvDHYd4EIFu1gS0wKAYJZCJc6ELwUt6M1nM5ag/YiEuSdrJd1Fxbl/aTZRHz8aeM5Yx3tLf630errvLCnyDW7Iob9IG+9Y4OShoD7V4k+7qJbGU3orGW9c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780056175; c=relaxed/simple; bh=TZy73E+3IaSpE5wUpSsjK15CVH/hei5A9B1e1I4n2C8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=f1Uh9/jhj5QXg24xCKjhGCKspfavAeC+FcLCw7FB036Ah1yUJE1ptILembQzCzcmcrbLKvUmsVCRqM6OtV8X+wJOUdvLzWv3xeWya+S7dIPTCQa3FVANF0PSwuyR+OLV7KGQNutsn/435WJTx6MqIQO73my5MqqQ3UmLSdYnjek= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com; spf=pass smtp.mailfrom=linux.intel.com; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b=Xv0vGV+Z; arc=none smtp.client-ip=192.198.163.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.intel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com header.b="Xv0vGV+Z" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1780056175; x=1811592175; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=TZy73E+3IaSpE5wUpSsjK15CVH/hei5A9B1e1I4n2C8=; b=Xv0vGV+Zc3L+MdLRWDGXvicugnvk07LS3Dp+F7Ba/xM4QodDq5zL/SX5 y21G8J9dPXkf2x7qe/9xFbbWuJe9uuu2Sbf50KrxXU3/M3/74NL4E40kX J/VQqw1OQPDS+AtIUkXU/s07ILcpHZ4JQ92F5Uy8n5xQX+ONJbCQU1Oh/ tJJixP1PpRT6OULWpwNUr+H8VbDZclsYADiw7aHs4f0elKa39dWPN6hPb LK4OxxF++BvaJODrnW2kv9mzkbtx0+5kwrqpXppLi5iUl9NUesldDj0rH Iu7CvV/x0WHNAKGiip9caQ+yefhR8ZQ7mTN5YPAj8uz8adpq2gYvzV3l6 Q==; X-CSE-ConnectionGUID: OtaeL1FDRBGu3PFtn0Ahjg== X-CSE-MsgGUID: aI7yuV6FQRa7QLLH/42i8A== X-IronPort-AV: E=McAfee;i="6800,10657,11800"; a="81021367" X-IronPort-AV: E=Sophos;i="6.24,175,1774335600"; d="scan'208";a="81021367" Received: from fmviesa007.fm.intel.com ([10.60.135.147]) by fmvoesa109.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 May 2026 05:02:54 -0700 X-CSE-ConnectionGUID: 4Sb1i9p2Qi+eXKb1fuE7WA== X-CSE-MsgGUID: bV4inkxeTmOMvhNb/7R5GA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="6.24,175,1774335600"; d="scan'208";a="239832279" Received: from akacprow-dev3.igk.intel.com ([10.91.220.47]) by fmviesa007-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 May 2026 05:02:52 -0700 From: Andrzej Kacprowski To: dri-devel@lists.freedesktop.org Cc: oded.gabbay@gmail.com, jeff.hugo@oss.qualcomm.com, lizhi.hou@amd.com, karol.wachowski@linux.intel.com, dawid.osuchowski@linux.intel.com, Andrzej Kacprowski , stable@vger.kernel.org Subject: [PATCH] accel/ivpu: Add bounds checks for firmware log indices Date: Fri, 29 May 2026 13:58:42 +0200 Message-ID: <20260529115842.135378-1-andrzej.kacprowski@linux.intel.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Add validation that read and write indices in the firmware log buffer are within valid bounds (< data_size) before using them. If out-of-bounds indices are encountered (from firmware), clamp them to safe values instead of proceeding with invalid offsets. This prevents potential out-of-bounds buffer access when firmware supplies invalid log indices. Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c") Cc: # v6.18+ Signed-off-by: Andrzej Kacprowski --- drivers/accel/ivpu/ivpu_fw_log.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/accel/ivpu/ivpu_fw_log.c b/drivers/accel/ivpu/ivpu_fw_log.c index 337c906b0210..275baf844b56 100644 --- a/drivers/accel/ivpu/ivpu_fw_log.c +++ b/drivers/accel/ivpu/ivpu_fw_log.c @@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct vpu_tracing_buffer_header *log, const cha u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0; u32 log_end = READ_ONCE(log->write_index); + if (log_start >= data_size) + log_start = 0; + if (log_end > data_size) + log_end = data_size; + if (log->wrap_count == log->read_wrap_count) { if (log_end <= log_start) { drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name); -- 2.43.0